Fix leak with ASSIGN_OBJ on null

We still need to free op1 in this case.

Fixes oss-fuzz 5782176231194624 (part of #38542).

Author: nikic

ext/opcache/jit/zend_jit_x86.dasc

@@ -13731,11 +13731,12 @@ static int zend_jit_assign_obj_op(dasm_State          **Dst,
 				} else {
 					|	EXT_CALL zend_jit_invalid_property_assign, r0
 				}
+				may_throw = 1;
 				if (((opline+1)->op1_type & (IS_VAR|IS_TMP_VAR))
 				 && (val_info & (MAY_BE_REF|MAY_BE_STRING|MAY_BE_ARRAY|MAY_BE_OBJECT|MAY_BE_RESOURCE))) {
 					|	jmp >8
 				} else {
-					|	jmp ->exception_handler
+					|	jmp >9
 				}
 				|.code
 			}
@@ -14067,7 +14068,7 @@ static int zend_jit_assign_obj(dasm_State          **Dst,
 				 && (val_info & (MAY_BE_REF|MAY_BE_STRING|MAY_BE_ARRAY|MAY_BE_OBJECT|MAY_BE_RESOURCE))) {
 					|	jmp >7
 				} else {
-					|	jmp ->exception_handler
+					|	jmp >9
 				}
 				|.code
 			}

ext/opcache/tests/jit/assign_obj_on_null.phpt

@@ -0,0 +1,37 @@
+--TEST--
+ASSIGN_OBJ on null reference returned from __get()
+--INI--
+opcache.enable=1
+opcache.enable_cli=1
+opcache.file_update_protection=0
+opcache.jit_buffer_size=1M
+--FILE--
+<?php
+class Test {
+    public $prop;
+    public function &__get($name) {
+        return $this->prop;
+    }
+}
+function test() {
+    $obj = new Test;
+    $obj->x->y = 1;
+}
+function test2() {
+    $obj = new Test;
+    $obj->x->y += 1;
+}
+try {
+    test();
+} catch (Error $e) {
+    echo $e->getMessage(), "\n";
+}
+try {
+    test2();
+} catch (Error $e) {
+    echo $e->getMessage(), "\n";
+}
+?>
+--EXPECT--
+Attempt to assign property "y" on null
+Attempt to assign property "y" on null